[PATCH] selinux-testsuite: Enhance inet_socket tests
Richard Haines via Selinux
2018-04-13 10:13:15 UTC
Enhance the tests as follows:
1) Determine number of tests to run with current config.
2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]).
3) Add support for CIPSO TAGS 1 & 2. Closes [2].
4) Run scripts using /bin/sh.
5) Shorten the sleep time, since there are now more tests.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24
[2] https://github.com/SELinuxProject/selinux-testsuite/issues/1

Signed-off-by: Richard Haines <***@btinternet.com>
---
tests/inet_socket/calipso-flush | 5 +
tests/inet_socket/calipso-load | 7 +
tests/inet_socket/cipso-fl-flush | 0
tests/inet_socket/cipso-fl-load | 0
tests/inet_socket/cipso-flush | 0
tests/inet_socket/cipso-load-t1 | 11 +
tests/inet_socket/cipso-load-t2 | 11 +
tests/inet_socket/{cipso-load => cipso-load-t5} | 0
tests/inet_socket/ipsec-flush | 0
tests/inet_socket/ipsec-load | 0
tests/inet_socket/iptables-flush | 0
tests/inet_socket/iptables-load | 0
tests/inet_socket/server.c | 16 +-
tests/inet_socket/test | 348 ++++++++++++++++++------
14 files changed, 310 insertions(+), 88 deletions(-)
create mode 100644 tests/inet_socket/calipso-flush
create mode 100644 tests/inet_socket/calipso-load
mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush
mode change 100755 => 100644 tests/inet_socket/cipso-fl-load
mode change 100755 => 100644 tests/inet_socket/cipso-flush
create mode 100644 tests/inet_socket/cipso-load-t1
create mode 100644 tests/inet_socket/cipso-load-t2
rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%)
mode change 100755 => 100644
mode change 100755 => 100644 tests/inet_socket/ipsec-flush
mode change 100755 => 100644 tests/inet_socket/ipsec-load
mode change 100755 => 100644 tests/inet_socket/iptables-flush
mode change 100755 => 100644 tests/inet_socket/iptables-load
mode change 100755 => 100644 tests/inet_socket/test

diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
new file mode 100644
index 0000000..5143962
--- /dev/null
+++ b/tests/inet_socket/calipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
+netlabelctl map del default
+netlabelctl calipso del doi:16
+netlabelctl map add default protocol:unlbl
diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
new file mode 100644
index 0000000..4bb9c7f
--- /dev/null
+++ b/tests/inet_socket/calipso-load
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Define a doi for testing loopback for CALIPSO/IPv6.
+netlabelctl calipso add pass doi:16
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:::1 protocol:calipso,16
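Review bot: None of the netlabelctl calls in this script check their exit status, so if `netlabelctl calipso add pass doi:16` fails on a kernel or tool without CALIPSO support, the script still deletes the default mapping and installs the remaining entries, and the Perl caller ignores the `system` return value, so the problem only shows up as later test failures. Adding `set -e` after the shebang stops at the first failing command; if `netlabelctl map del default` can legitimately fail when no default mapping exists, that one line can be written as `netlabelctl map del default || true`. The new cipso-load-t1 and cipso-load-t2 scripts have the same shape and would benefit from the same guard.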
diff --git a/tests/inet_socket/cipso-fl-flush b/tests/inet_socket/cipso-fl-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-fl-load b/tests/inet_socket/cipso-fl-load
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/cipso-load-t1 b/tests/inet_socket/cipso-load-t1
new file mode 100644
index 0000000..974e746
--- /dev/null
+++ b/tests/inet_socket/cipso-load-t1
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:1
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load-t2 b/tests/inet_socket/cipso-load-t2
new file mode 100644
index 0000000..9892f81
--- /dev/null
+++ b/tests/inet_socket/cipso-load-t2
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Based on http://paulmoore.livejournal.com/7234.html.
+#
+# Modifications:
+# - Defined a doi for testing loopback for CIPSOv4.
+
+netlabelctl cipsov4 add pass doi:16 tags:2
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load-t5
old mode 100755
new mode 100644
similarity index 100%
rename from tests/inet_socket/cipso-load
rename to tests/inet_socket/cipso-load-t5
diff --git a/tests/inet_socket/ipsec-flush b/tests/inet_socket/ipsec-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load
old mode 100755
new mode 100644
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
index 2801397..c8383b4 100644
--- a/tests/inet_socket/server.c
+++ b/tests/inet_socket/server.c
@@ -79,11 +79,17 @@ int main(int argc, char **argv)
perror("socket");
exit(1);
}
- result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
- if (result < 0) {
- perror("setsockopt: SO_PASSSEC");
- close(sock);
- exit(1);
+
+ /* Allow retrieval of UDP/Datagram security contexts for IPv4 as
+ * IPv6 is not currently supported.
+ */
+ if (hints.ai_socktype == SOCK_DGRAM) {
+ result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
+ if (result < 0) {
+ perror("setsockopt: IP_PASSSEC");
+ close(sock);
+ exit(1);
+ }
}

result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
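Review bot: The new comment says IP_PASSSEC is being enabled for IPv4 datagram sockets because IPv6 is unsupported, but the guard `if (hints.ai_socktype == SOCK_DGRAM)` tests only the socket type, so an AF_INET6 datagram socket takes the same path. Either the comment should say what the code does, e.g. `/* Only datagram sockets use IP_PASSSEC to obtain peer security contexts. */`, or, if the IPv6 datagram path really must skip it, the condition should also check `hints.ai_family == AF_INET` (hints.ai_family is set outside this hunk, so confirm it is populated by this point). The perror string now matching the option name is a welcome fix. main() continues outside the hunk.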
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
old mode 100755
new mode 100644
index 0bda2a4..6684260
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -2,27 +2,43 @@
use Test::More;

BEGIN {
- # check if ip xfrm supports ctx parameter
- if ( system("ip xfrm policy help 2>&1 | grep -q ctx") != 0 ) {
- plan skip_all => "ctx not supported in ip xfrm policy";
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $test_count = 38;
+
+ $test_ipsec = 0;
+ if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
+ $test_count += 8;
+ $test_ipsec = 1;
}
- else {
- plan tests => 33;
+
+ # Determine if CALIPSO supported by netlabelctl(8) and kernel.
+ $test_calipso_stream = 0;
+ $netlabelctl = `netlabelctl -V`;
+ $netlabelctl =~ s/\D//g;
+ $kvercur = `uname -r`;
+ chomp($kvercur);
+ $kverminstream = "4.8";
+
+ $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
+ if ( $netlabelctl gt "021" and $rc > 0 ) {
+ $test_count += 3;
+ $test_calipso_stream = 1;
}
-}

-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+ plan tests => $test_count;
+}

-# Load NetLabel configuration for full CIPSO4 labeling over loopback.
-system "$basedir/cipso-fl-load";
+# Load NetLabel configuration for full CIPSO/IPv4 labeling over loopback.
+system "/bin/sh $basedir/cipso-fl-load";

# Start the stream server.
if ( ( $pid = fork() ) == 0 ) {
exec "runcon -t test_inet_server_t $basedir/server stream 65535";
}

-sleep 1; # Give it a moment to initialize.
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.

# Verify that authorized client can communicate with the server.
$result =
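Review bot: The netlabelctl version gate at `if ( $netlabelctl gt "021" and $rc > 0 )` compares the digits stripped from `netlabelctl -V` as a string, so "0.21" becomes "021" and works today, but a component with more digits (a future "0.100" becomes "0100") sorts below "021" and silently disables the CALIPSO tests. Splitting the version into numeric fields and comparing with `<=>` (or reusing the kvercmp helper already used for the kernel version, if it accepts dotted versions) avoids that. Also, if kvercmp returns 0 for equal versions, `$rc > 0` excludes a kernel that is exactly 4.8 even though `$kverminstream` is named as the minimum; worth confirming against kvercmp's contract. The diffstat also drops the executable bit on `test` itself; if the harness invokes `./test` rather than `perl test`, it will no longer start.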
@@ -42,7 +58,7 @@ if ( ( $pid = fork() ) == 0 ) {
exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
}

-sleep 1; # Give it a moment to initialize
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize

# Verify that authorized client can communicate with the server.
$result =
@@ -58,32 +74,90 @@ ok( $result >> 8 eq 9 );
kill TERM, $pid;

# Flush NetLabel configuration.
-system "$basedir/cipso-fl-flush";
+system "/bin/sh $basedir/cipso-fl-flush";
+
+# Load NetLabel configuration for CIPSO/IPv4 using TAG 1 over loopback.
+system "/bin/sh $basedir/cipso-load-t1";
+
+# Start the stream server with a defined level.
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+"runcon -t test_inet_server_t -l s0:c20.c250 $basedir/server stream 65535";
+}
+
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
+
+# Verify that authorized client can communicate with the server using level within T1 range.
+$result = system
+"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c61.c239 stream 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify that authorized client cannot communicate with the server using different level.
+$result = system
+"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client stream 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 5 );
+
+# TAG 1 allows categories 0 to 239 to be sent, if greater then ENOSPC (No space left on device)
+$result = system
+"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client stream 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 5 );
+
+# Kill the server.
+kill TERM, $pid;
+
+# Start the dgram server with a defined level.
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+ "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535";
+}
+
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
+
+# Verify that authorized client can communicate with the server using same levels.
+$result = system
+"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify that authorized client cannot communicate with the server using levels dominating the server.
+$result = system
+"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 9 );
+
+# Kill the server.
+kill TERM, $pid;
+
+# Flush NetLabel configuration.
+system "/bin/sh $basedir/cipso-flush";

-# Load NetLabel configuration for CIPSO4 over loopback.
-system "$basedir/cipso-load";
+# Load NetLabel configuration for CIPSO/IPv4 using TAG 2 over loopback.
+system "/bin/sh $basedir/cipso-load-t2";

# Start the stream server with a defined level.
if ( ( $pid = fork() ) == 0 ) {
exec
- "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535";
+ "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535";
}

-sleep 1; # Give it a moment to initialize.
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.

# Verify that authorized client can communicate with the server using level.
$result = system
-"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1 65535";
+"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c90.c100 stream 127.0.0.1 65535";
ok( $result eq 0 );

# Verify that authorized client can communicate with the server using level.
$result = system
-"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1 65535";
+"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 stream 127.0.0.1 65535";
ok( $result eq 0 );

# Verify that authorized client cannot communicate with the server using different level.
$result = system
-"runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream 127.0.0.1 65535 2>&1";
+"runcon -t test_inet_client_t -l s0:c101 $basedir/client stream 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 5 );
+
+# TAG 2 allows a maximum of 15 categories in exchange, if greater then ENOSPC (No space left on device)
+$result = system
+"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client dgram 127.0.0.1 65535 2>&1";
ok( $result >> 8 eq 5 );

# Kill the server.
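Review bot: The TAG 2 ENOSPC check near the end of the hunk runs `$basedir/client dgram 127.0.0.1 65535` while only the stream server started with `stream 65535` is running; if the error is raised at send time the test passes regardless, but as written it looks like a copy-paste slip and should either use `stream` here or move to the dgram section that follows. The two new comments reading "if greater then ENOSPC" should say "greater than". Every added `ok(` call has no description, so a failure in a plan of 38-49 tests reports only a number; `ok( $result >> 8 eq 5, 'CIPSO T1 stream: category above 239 rejected' )` and similar would make the TAP output self-explanatory. The stream-server section continues past the end of the hunk.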
@@ -92,26 +166,95 @@ kill TERM, $pid;
# Start the dgram server with a defined level.
if ( ( $pid = fork() ) == 0 ) {
exec
- "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535";
+ "runcon -t test_inet_server_t -l s0:c0.c14 $basedir/server dgram 65535";
}

-sleep 1; # Give it a moment to initialize.
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.

# Verify that authorized client can communicate with the server using same levels.
$result = system
-"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535";
+"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 dgram 127.0.0.1 65535";
ok( $result eq 0 );

# Verify that authorized client cannot communicate with the server using levels dominating the server.
$result = system
-"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1";
+"runcon -t test_inet_client_t -l s0:c15 $basedir/client dgram 127.0.0.1 65535 2>&1";
ok( $result >> 8 eq 9 );

# Kill the server.
kill TERM, $pid;

# Flush NetLabel configuration.
-system "$basedir/cipso-flush";
+system "/bin/sh $basedir/cipso-flush";
+
+# Load NetLabel configuration for CIPSO/IPv4 using TAG 5 over loopback.
+# TAG 5 allows a maximum of 7 ranges in exchange, if greater then ENOSPC (No space left on device), however
+# note from kernel net/ipv4/cipso_ipv4.c comments:
+# * You may note that the IETF draft states that the maximum number
+# * of category ranges is 7, but if the low end of the last category range is
+# * zero then it is possible to fit 8 category ranges because the zero should
+# * be omitted. */
+system "/bin/sh $basedir/cipso-load-t5";
+
+# Start the stream server with a defined level.
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+ "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535";
+}
+
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
+
+# Verify that authorized client can communicate with the server using level.
+$result = system
+"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 stream 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify that authorized client can communicate with the server using level.
+$result = system
+"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c100 stream 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify that authorized client cannot communicate with the server using different level.
+$result = system
+"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client stream 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 5 );
+
+# Verify ok with the 8 entries when cat c0:
+$result = system
+"runcon -t test_inet_client_t -l s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 stream 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify fail with the 8 entries when cat !c0:
+$result = system
+"runcon -t test_inet_client_t -l s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99 $basedir/client stream 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 5 );
+
+# Kill the server.
+kill TERM, $pid;
+
+# Start the dgram server with a defined level.
+if ( ( $pid = fork() ) == 0 ) {
+ exec
+ "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server dgram 65535";
+}
+
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
+
+# Verify that authorized client can communicate with the server using same levels.
+$result = system
+"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 dgram 127.0.0.1 65535";
+ok( $result eq 0 );
+
+# Verify that authorized client cannot communicate with the server using levels dominating the server.
+$result = system
+"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client dgram 127.0.0.1 65535 2>&1";
+ok( $result >> 8 eq 9 );
+
+# Kill the server.
+kill TERM, $pid;
+
+# Flush NetLabel configuration.
+system "/bin/sh $basedir/cipso-flush";

# Verify that authorized domain can bind UDP sockets.
$result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1";
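Review bot: The comment block introducing the TAG 5 tests pastes a C comment fragment verbatim, with `# *` prefixes and a trailing `*/` that has no meaning in Perl; rewriting it as prose keeps the useful information without the noise, e.g. `# TAG 5 allows at most 7 category ranges (ENOSPC if exceeded); the kernel (net/ipv4/cipso_ipv4.c) accepts 8 when the last range starts at c0 because the zero is omitted.` That also fixes the "greater then" typo on the same line. The two eight-range checks that follow are a good direct test of that kernel note.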
@@ -151,91 +294,96 @@ $result =
system "runcon -t test_inet_no_name_connect_t -- $basedir/connect 65535 2>&1";
ok($result);

-# Load IPSEC configuration.
-system "$basedir/ipsec-load";
+if ($test_ipsec) {

-# Start the stream server.
-if ( ( $pid = fork() ) == 0 ) {
- exec "runcon -t test_inet_server_t $basedir/server stream 65535";
-}
+ # Load IPSEC configuration.
+ system "/bin/sh $basedir/ipsec-load";

-sleep 1; # Give it a moment to initialize.
+ # Start the stream server.
+ if ( ( $pid = fork() ) == 0 ) {
+ exec "runcon -t test_inet_server_t $basedir/server stream 65535";
+ }

-# Verify that authorized client can communicate with the server.
-$result =
- system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.

-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that authorized client can communicate with the server.
+ $result =
+ system
+ "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
+ ok( $result eq 0 );
+
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ ok( $result >> 8 eq 5 );

-# Verify that authorized client can communicate with the server.
-$result =
- system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server.
+ $result =
+ system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
+ ok( $result eq 0 );

-# Verify that unauthorized client cannot communicate with the server.
-$result = system
- "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
+ ok( $result >> 8 eq 5 );

-# Kill the server.
-kill TERM, $pid;
+ # Kill the server.
+ kill TERM, $pid;

-# Start the dgram server.
-if ( ( $pid = fork() ) == 0 ) {
- exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
-}
+ # Start the dgram server.
+ if ( ( $pid = fork() ) == 0 ) {
+ exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
+ }

-sleep 1; # Give it a moment to initialize
+ select( undef, undef, undef, 0.25 ); # Give it a moment to initialize

-# Verify that authorized client can communicate with the server.
-$result =
- system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server.
+ $result =
+ system
+ "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
+ ok( $result eq 0 );

-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+ ok( $result >> 8 eq 8 );

-# Verify that unauthorized client cannot communicate with the server.
-$result = system
- "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
+ ok( $result >> 8 eq 8 );

-# Kill the server.
-kill TERM, $pid;
+ # Kill the server.
+ kill TERM, $pid;

# Start the dgram server for IPSEC test using IPv6 but do not request peer context.
-if ( ( $pid = fork() ) == 0 ) {
- exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
-}
+ if ( ( $pid = fork() ) == 0 ) {
+ exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
+ }

-sleep 1; # Give it a moment to initialize
+ select( undef, undef, undef, 0.25 ); # Give it a moment to initialize

-# This test now passes.
-$result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-ok( $result eq 0 );
+ # This test now passes.
+ $result = system
+ "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+ ok( $result eq 0 );

-# Kill the server.
-kill TERM, $pid;
+ # Kill the server.
+ kill TERM, $pid;

-# Flush IPSEC configuration.
-system "$basedir/ipsec-flush";
+ # Flush IPSEC configuration.
+ system "/bin/sh $basedir/ipsec-flush";
+}

# Load iptables (IPv4 & IPv6) configuration.
-system "$basedir/iptables-load";
+system "/bin/sh $basedir/iptables-load";

# Start the stream server.
if ( ( $pid = fork() ) == 0 ) {
exec "runcon -t test_inet_server_t -- $basedir/server -n stream 65535";
}

-sleep 1; # Give it a moment to initialize.
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.

# Verify that authorized client can communicate with the server.
$result = system
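Review bot: Wrapping the IPSEC tests in `if ($test_ipsec) {` and adjusting `$test_count` in BEGIN means a run without xfrm ctx support gives no indication in the TAP output that eight tests were not executed. Test::More's idiom for this keeps the plan fixed and reports why: `SKIP: { skip "ctx not supported in ip xfrm policy", 8 unless $test_ipsec; ... }`, which would also let the plan be a constant again. Separately, the comment `# Start the dgram server for IPSEC test using IPv6 but do not request peer context.` is left at column 0 while the code around it is now indented inside the block (perltidy does not move comments); the two comments inside the CALIPSO block in the final hunk have the same problem.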
@@ -265,7 +413,7 @@ if ( ( $pid = fork() ) == 0 ) {
exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
}

-sleep 1; # Give it a moment to initialize
+select( undef, undef, undef, 0.25 ); # Give it a moment to initialize

# Verify that authorized client can communicate with the server.
$result = system
@@ -291,6 +439,40 @@ ok( $result >> 8 eq 8 );
kill TERM, $pid;

# Flush iptables configuration.
-system "$basedir/iptables-flush";
+system "/bin/sh $basedir/iptables-flush";
+
+if ($test_calipso_stream) {
+
+ # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
+ system "/bin/sh $basedir/calipso-load";
+
+ # Start the stream server.
+ if ( ( $pid = fork() ) == 0 ) {
+ exec
+"runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535";
+ }
+
+ select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
+
+ # Verify that authorized client can communicate with the server.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
+ ok( $result eq 0 );
+
+# Verify that authorized client can communicate with the server using different valid level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
+ ok( $result eq 0 );
+
+# Verify that authorized client cannot communicate with the server using invalid level.
+ $result = system
+"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
+ ok( $result >> 8 eq 5 );
+
+ # Kill the stream server.
+ kill TERM, $pid;
+
+ system "/bin/sh $basedir/calipso-flush";
+}

exit;
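Review bot: The final `system "/bin/sh $basedir/calipso-flush";` is the only configuration flush in the file without the `# Flush NetLabel configuration.` comment that precedes every other cipso/ipsec/iptables flush; adding it keeps the sections uniform and makes it obvious that the CALIPSO DOI is removed before exit. The three `ok(` calls here are also counted as the `+= 3` in BEGIN, so any test added to this block later must update both places, which is worth a short comment next to the increment.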
--
2.14.3